diff --git a/modules/programs/git.nix b/modules/programs/git.nix index e5470ca3..fa652258 100644 --- a/modules/programs/git.nix +++ b/modules/programs/git.nix @@ -118,7 +118,7 @@ in { }; format = mkOption { - type = types.enum [ "openpgp" "ssh" "x509" ]; + type = types.nullOr (types.enum [ "openpgp" "ssh" "x509" ]); defaultText = literalExpression '' "openpgp" for state version < 25.05, undefined for state version ≥ 25.05 @@ -130,13 +130,13 @@ in { }; signByDefault = mkOption { - type = types.bool; - default = false; + type = types.nullOr types.bool; + default = null; description = "Whether commits and tags should be signed by default."; }; signer = mkOption { - type = types.str; + type = types.nullOr types.str; description = "Path to signer binary to use."; }; }; 
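Review bot: The `defaultText` kept as context under `format` in the `@@ -118,7` hunk still says the value is "undefined for state version ≥ 25.05", but the type is now `types.nullOr (...)` and the `@@ -493` hunk adds an `else null` branch, so the option evaluates to `null` there. I would change that line to `null for state version ≥ 25.05`. The option's description lies outside this hunk; if it does not already say so, it should state that `null` means no `gpg.format` entry is written and Git's own default format applies.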
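Review bot: The `signByDefault` description in the `@@ -130,13` hunk does not say what the new `null` default means. `commit.gpgSign` and `tag.gpgSign` used to be written as `false` and are now omitted, so the effective signing behaviour is decided by whatever other Git configuration is in scope, which matters to anyone who relies on commits being signed. I would extend it to `description = "Whether commits and tags should be signed by default. If null, commit.gpgSign and tag.gpgSign are not set and Git's own configuration decides.";`. The `signer` description needs the same treatment, since nothing visible says what a `null` signer is meant to produce.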
@@ -493,25 +493,35 @@ in { (mkIf (cfg.signing != { }) { programs.git = { signing = { - format = mkIf (versionOlder config.home.stateVersion "25.05") - (mkOptionDefault "openpgp"); - signer = mkIf (cfg.signing.format != null) (mkOptionDefault { - openpgp = getExe config.programs.gpg.package; - ssh = getExe' pkgs.openssh "ssh-keygen"; - x509 = getExe' config.programs.gpg.package "gpgsm"; - }.${cfg.signing.format}); + format = if (versionOlder config.home.stateVersion "25.05") then + (mkOptionDefault "openpgp") + else + null; + signer = let + defaultSigners = { + openpgp = getExe config.programs.gpg.package; + ssh = getExe' pkgs.openssh "ssh-keygen"; + x509 = getExe' config.programs.gpg.package "gpgsm"; + }; + in mkIf (cfg.signing.format != null) + (mkOptionDefault defaultSigners.${cfg.signing.format}); }; - iniContent = let inherit (cfg.signing) format; - in { - user.signingKey = mkIf (cfg.signing.key != null) cfg.signing.key; - commit.gpgSign = mkDefault cfg.signing.signByDefault; - tag.gpgSign = mkDefault cfg.signing.signByDefault; - gpg = { - format = mkDefault format; - ${format}.program = cfg.signing.signer; - }; - }; + iniContent = mkMerge [ + (mkIf (cfg.signing.key != null) { + user.signingKey = mkDefault cfg.signing.key; + }) + (mkIf (cfg.signing.signByDefault != null) { + commit.gpgSign = mkDefault cfg.signing.signByDefault; + tag.gpgSign = mkDefault cfg.signing.signByDefault; + }) + (mkIf (cfg.signing.format != null) { + gpg = { + format = mkDefault cfg.signing.format; + ${cfg.signing.format}.program = mkDefault cfg.signing.signer; + }; + }) + ]; }; }) diff --git a/tests/modules/programs/gh/credential-helper.git.conf b/tests/modules/programs/gh/credential-helper.git.conf index 8b712cd8..29944174 100644 --- a/tests/modules/programs/gh/credential-helper.git.conf +++ b/tests/modules/programs/gh/credential-helper.git.conf @@ -1,6 +1,3 @@ -[commit] - gpgSign = false - [credential "https://github.com"] helper = "@gh@/bin/gh auth git-credential" 
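Review bot: The `else null` branch of `signing.format` in the `@@ -493,25` hunk is a plain definition at normal priority, while the `then` branch is wrapped in `mkOptionDefault`. On state version ≥ 25.05 a user who sets `programs.git.signing.format = "ssh"` would then most likely hit the `nullOr` merge error for an option defined both null and not null, instead of overriding a default. Writing the branch as `else mkOptionDefault null;` keeps it overridable. Separately, `signer` now admits `null`, but `${cfg.signing.format}.program = mkDefault cfg.signing.signer;` is guarded only on `format`, so an explicit `signer = null` would reach the INI generator. Consider extending that guard to `cfg.signing.format != null && cfg.signing.signer != null`.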
@@ -12,6 +9,3 @@ [gpg "openpgp"] program = "path-to-gpg" - -[tag] - gpgSign = false diff --git a/tests/modules/programs/git/default.nix b/tests/modules/programs/git/default.nix index a1211f25..4c7baa6a 100644 --- a/tests/modules/programs/git/default.nix +++ b/tests/modules/programs/git/default.nix @@ -6,5 +6,6 @@ git-with-signing-key-id-legacy = ./git-with-signing-key-id-legacy.nix; git-with-signing-key-id = ./git-with-signing-key-id.nix; git-without-signing-key-id = ./git-without-signing-key-id.nix; + git-without-signing = ./git-without-signing.nix; git-with-hooks = ./git-with-hooks.nix; } diff --git a/tests/modules/programs/git/git-with-email-expected.conf b/tests/modules/programs/git/git-with-email-expected.conf index d7c40973..5a0d9a6b 100644 --- a/tests/modules/programs/git/git-with-email-expected.conf +++ b/tests/modules/programs/git/git-with-email-expected.conf @@ -1,11 +1,8 @@ -[commit] - gpgSign = false - [gpg] format = "openpgp" [gpg "openpgp"] - program = "path-to-gpg" + program = "@gnupg@/bin/gpg" [sendemail "hm-account"] from = "H. M. Test Jr. " @@ -21,9 +18,6 @@ smtpSslCertPath = "/etc/ssl/certs/ca-certificates.crt" smtpUser = "home.manager" -[tag] - gpgSign = false - [user] email = "hm@example.com" name = "H. M. Test" diff --git a/tests/modules/programs/git/git-with-email.nix b/tests/modules/programs/git/git-with-email.nix index c1a375b9..db6053a5 100644 --- a/tests/modules/programs/git/git-with-email.nix +++ b/tests/modules/programs/git/git-with-email.nix @@ -8,7 +8,6 @@ programs.git = { enable = true; - signing.signer = "path-to-gpg"; userEmail = "hm@example.com"; userName = "H. M. Test"; }; diff --git a/tests/modules/programs/git/git-with-msmtp-expected.conf b/tests/modules/programs/git/git-with-msmtp-expected.conf index 8cf588c7..3d636a8b 100644 --- a/tests/modules/programs/git/git-with-msmtp-expected.conf +++ b/tests/modules/programs/git/git-with-msmtp-expected.conf @@ -1,6 +1,3 @@ -[commit] - gpgSign = false - [gpg] format = "openpgp" 
@@ -19,9 +16,6 @@ from = "H. M. Test " smtpServer = "@msmtp@/bin/msmtp" -[tag] - gpgSign = false - [user] email = "hm@example.com" name = "H. M. Test" diff --git a/tests/modules/programs/git/git-with-str-extra-config-expected.conf b/tests/modules/programs/git/git-with-str-extra-config-expected.conf index 2154bc58..8c9b7ee1 100644 --- a/tests/modules/programs/git/git-with-str-extra-config-expected.conf +++ b/tests/modules/programs/git/git-with-str-extra-config-expected.conf @@ -1,17 +1,11 @@ This can be anything. -[commit] - gpgSign = false - [gpg] format = "openpgp" [gpg "openpgp"] program = "path-to-gpg" -[tag] - gpgSign = false - [user] email = "user@example.org" name = "John Doe" diff --git a/tests/modules/programs/git/git-without-signing.conf b/tests/modules/programs/git/git-without-signing.conf new file mode 100644 index 00000000..f05c7b6c --- /dev/null +++ b/tests/modules/programs/git/git-without-signing.conf @@ -0,0 +1,3 @@ +[user] + email = "user@example.org" + name = "John Doe" diff --git a/tests/modules/programs/git/git-without-signing.nix b/tests/modules/programs/git/git-without-signing.nix new file mode 100644 index 00000000..95a70b94 --- /dev/null +++ b/tests/modules/programs/git/git-without-signing.nix @@ -0,0 +1,16 @@ +{ + programs.git = { + enable = true; + userName = "John Doe"; + userEmail = "user@example.org"; + }; + + home.stateVersion = "25.05"; + + nmt.script = '' + assertFileExists home-files/.config/git/config + assertFileContent home-files/.config/git/config ${ + ./git-without-signing.conf + } + ''; +}